Hi all,
Following up on this issue...
On Fri, Jun 9, 2023 at 12:41 PM Emilia Torino
<emilia.torino@xxxxxxxxxxxxx> wrote:
Hi all,
On 9/6/23 06:20, Cristovao Cordeiro wrote:
> Sounds good to me. @Emilia Torino
> <mailto:emilia.torino@xxxxxxxxxxxxx> do you
need those repos to exist in
> Docker Hub before you can onboard these?
We don't. Since we don't scan the upstream
based ROCKs (we only need
this for the deb based ones).
>
> On Fri, Jun 9, 2023 at 10:42 AM Luca Bello
<luca.bello@xxxxxxxxxxxxx
> <mailto:luca.bello@xxxxxxxxxxxxx>> wrote:
>
> Hello everyone,
>
> as mentioned before, the ROCKs we have
are all based on upstream
> projects; the list is the following, as
required:
>
> * Alertmanager
(https://github.com/prometheus/alertmanager
> <https://github.com/prometheus/alertmanager>)
> * Grafana Agent
(https://github.com/grafana/agent
> <https://github.com/grafana/agent>)
> * Grafana (https://github.com/grafana/grafana
> <https://github.com/grafana/grafana>)
> * Loki (https://github.com/grafana/loki
> <https://github.com/grafana/loki>)
> * Mimir (https://github.com/grafana/mimir
> <https://github.com/grafana/mimir>)
> * SeaweedFS
(https://github.com/seaweedfs/seaweedfs
> <https://github.com/seaweedfs/seaweedfs>)
> * Traefik (https://github.com/traefik/traefik
> <https://github.com/traefik/traefik>)
>
> Please let me know if any of these qualifies!
I am not sure how urgent is this, but if you
help me identify the Ubuntu
source packages associated we can make this
faster. Otherwise we can
work on this next week.
Did you have a chance to check this?
>
>
> Cheers,
>
> Luca
>
> On 31/05/2023 18:29, Cristovao Cordeiro
wrote:
>>
>> So the only change from our side
will be to add
>> prometheus to the email notification
subject (or I guess we
>> can just
>> simple replace it with "CVEs
potentially affecting upstream based
>> ROCKs"). Are the email recipients
the same ones for the other
>> ones?
>>
>>
>> I think that would be fine for now. I'm
reluctant to use the
>> mailing list as a catch-all, but I think
we can re-design this
>> once there is an event bus at Canonical,
so we rely less on emails.
>>
>> As for the other 10 ROCKs, @Luca Bello
>> <mailto:luca.bello@xxxxxxxxxxxxx> let's
first do the right due
>> diligence on those, cause if a ROCK is
not meant to be under the
>> "ubuntu" namespace, then this security
monitoring doesn't need to
>> apply.
>>
>> On Wed, May 31, 2023 at 3:58 PM Emilia
Torino
>> <emilia.torino@xxxxxxxxxxxxx
<mailto:emilia.torino@xxxxxxxxxxxxx>>
>> wrote:
>>
>>
>> Hi all,
>>
>> On 31/5/23 04:03, Luca Bello wrote:
>> > Hi everyone,
>> >
>> > as said in the thread already, the
prometheus image is
>> indeed a ROCK
>> > based on the
*prometheus/prometheus* repository.
>>
>> That's very convenient. But just to
be clear again, we are not
>> "inspecting" the upstream based rocks the
same way we do for
>> the deb
>> based ones. We are only monitoring
new CVEs created for
>> prometheus,
>> protobuf and consul. So the only
change from our side will be
>> to add
>> prometheus to the email notification
subject (or I guess we
>> can just
>> simple replace it with "CVEs
potentially affecting upstream based
>> ROCKs"). Are the email recipients
the same ones for the other
>> ones?
>>
>> >
>> > We're in the process of updating
all of our ROCKs in a
>> similar way,
>> > meaning we want to make sure we
are complying with any
>> guidelines you
>> > might have on them.
>> > We have about 10 ROCKs at the
moment, mostly based on
>> upstream projects
>> > just like this one. Should I share
the full list, so you can
>> track them?
>>
>> I am happy to do an analysis of this
list to see if we can add
>> more. The
>> short answer would be that if the
software is packaged as a
>> deb in main
>> or universe (which is the situation
for prometheus, protobuf
>> and consul)
>> then we can simply add them. This is
because the service is
>> based on the
>> existing CVE triage work the
security team does, which is
>> mainly for
>> debs (although now is being extended
to other ecosystems
>> because of SOSS
>> but it is still limited and mainly
supporting NVIDIA software).
>>
>> A simple improvement though could be
to map the projects to
>> the rocks so
>> you dont get a general notification,
but one per ROCK as the
>> USNs/debs
>> based service does. We can work on
adding this for the next cycle.
>>
>> >
>> >
>> > Cheers,
>> >
>> > Luca
>> >
>> >
>> > On 31/05/2023 08:12, Cristovao
Cordeiro wrote:
>> >> Thank you for the swift action,
Emilia!
>> >>
>> >> > Does this
>> >> > relate to a question being
asked some hours ago in
>> >> > ~Security
>> >>
>>
https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo
<https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo>?
>> >>
>> >> Yes, precisely. @Luca Bello
>> <mailto:luca.bello@xxxxxxxxxxxxx
>> <mailto:luca.bello@xxxxxxxxxxxxx>> is in
>> >> the process of updating that
image and we're re-doing our
>> due diligence.
>> >> Luca can confirm, but this seems
to be a ROCK based
>> precisely on that
>> >> upstream Prometheus repository
that you are already monitoring
>> >>
>>
(https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19
<https://github.com/canonical/prometheus-rock/blob/main/rockcraft.yaml#L19>).
>> >>
>> >> Can we then add this image to
your list of tracked ROCKs?
>> >>
>> >>
>> >> On Tue, May 30, 2023 at 9:45 PM
Emilia Torino
>> >> <emilia.torino@xxxxxxxxxxxxx
>>
<mailto:emilia.torino@xxxxxxxxxxxxx>> wrote:
>> >>
>> >> Hey all,
>> >>
>> >> On 30/5/23 13:14, Emilia Torino
wrote:
>> >> > Hi Cristovao,
>> >> >
>> >> > On 30/5/23 09:41, Cristovao
Cordeiro wrote:
>> >> >> Hi Emilia,
>> >> >>
>> >> >> could you please confirm the
`prometheus` container
>> image is being
>> >> >> monitored?
>> >> >
>> >> > I don't see prometheus being
monitored by our
>> services (not as a
>> >> rock
>> >> > based on upstream source code
nor as a rock based on
>> debs). Does
>> >> this
>> >> > relate to a question being
asked some hours ago in
>> >> > ~Security
>> >>
>>
https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo
<https://chat.canonical.com/canonical/pl/dchhoa7wxtyiper7rbk8h43mjo>?
>> >> >
>> >> >
>> >> > These emails' subject only
mentions cortex and
>> telegraf, but
>> >> >> I can see
"https://github.com/prometheus/prometheus
>>
<https://github.com/prometheus/prometheus>
>> >> >>
<https://github.com/prometheus/prometheus
>>
<https://github.com/prometheus/prometheus>>"
in the body of the
>> >> email.
>> >> >
>> >> > Apologize for the confusion,
this sounds like a bug
>> in the email
>> >> content
>> >> > generator code. I will take a
look at it later.
>> >>
>> >> I investigated this bug and it
should be solved
>> already. There was an
>> >> issue in the past, but we fixed
it already. I thought
>> it could be
>> >> related but I see this
notification you are asking is
>> from March.
>> >> If you
>> >> check the last notification sent
on Thu, May 4, 2:03 AM
>> is correctly
>> >> reporting about a single package
(cortex only).
>> >>
>> >> Let me know if you have any
further question.
>> >>
>> >> In this case, only a new
>> >> > CVE affecting consul has been
created in our tracker
>> >> >
>> >>
>>
https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
<https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845>.
>> >> >
>> >> > Still, this does not mean
cortex and telegraf are
>> affected,
>> >> since this
>> >> > needs triage (i.e. understand
if the code/version
>> present in the
>> >> rocks
>> >> > are indeed vulnerable).
>> >> >
>> >> > FYI the reason why
>> https://github.com/prometheus/prometheus
>>
<https://github.com/prometheus/prometheus> (and
>> >> also
>> >> > https://github.com/gogo/protobuf
>> <https://github.com/gogo/protobuf>)
are listed in this email, is
>> >> because
>> >> > these 3 are the *only*
upstream projects we are
>> monitoring
>> >> (because of
>> >> > the bug the 3 are incorrectly
listed in the email,
>> only consul
>> >> should
>> >> > be). In other words, we are
not scanning every
>> upstream source
>> >> project
>> >> > which is used to build cortex
and telegraf.
>> >> >
>> >> > There are reasons why this
service is very limited,
>> and I hope this
>> >> > is/was clear. Let me know if
you need more information.
>> >> >
>> >> > Emilia
>> >> >
>> >> >
>> >> >>
>> >> >> ---------- Forwarded message
---------
>> >> >> From:
<security-team-toolbox-bot@xxxxxxxxxxxxx
>>
<mailto:security-team-toolbox-bot@xxxxxxxxxxxxx>
>> >> >>
<mailto:security-team-toolbox-bot@xxxxxxxxxxxxx
>>
<mailto:security-team-toolbox-bot@xxxxxxxxxxxxx>>>
>> >> >> Date: Sat, Mar 11, 2023 at
6:03 AM
>> >> >> Subject:
[Ubuntu-docker-images] CVEs potentially
>> affecting
>> >> cortex and
>> >> >> telegraf
>> >> >> To:
<ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
>>
<mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>
>> >> >>
<mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
>>
<mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>>>,
>> >> >> <sergio.durigan@xxxxxxxxxxxxx
>> <mailto:sergio.durigan@xxxxxxxxxxxxx>
>> >> <mailto:sergio.durigan@xxxxxxxxxxxxx
>> <mailto:sergio.durigan@xxxxxxxxxxxxx>>>,
>> >> >> <emilia.torino@xxxxxxxxxxxxx
>> <mailto:emilia.torino@xxxxxxxxxxxxx>
>> >> <mailto:emilia.torino@xxxxxxxxxxxxx
>> <mailto:emilia.torino@xxxxxxxxxxxxx>>>,
>> >> >> <alex.murray@xxxxxxxxxxxxx
>> <mailto:alex.murray@xxxxxxxxxxxxx>
>> <mailto:alex.murray@xxxxxxxxxxxxx
>> <mailto:alex.murray@xxxxxxxxxxxxx>>>,
>> >> >> <simon.aronsson@xxxxxxxxxxxxx
>> <mailto:simon.aronsson@xxxxxxxxxxxxx>
>> >> <mailto:simon.aronsson@xxxxxxxxxxxxx
>> <mailto:simon.aronsson@xxxxxxxxxxxxx>>>,
>> >> >>
<dylan.stephano-shachter@xxxxxxxxxxxxx
>>
<mailto:dylan.stephano-shachter@xxxxxxxxxxxxx>
>> >> >>
<mailto:dylan.stephano-shachter@xxxxxxxxxxxxx
>>
<mailto:dylan.stephano-shachter@xxxxxxxxxxxxx>>>
>> >> >>
>> >> >>
>> >> >> New CVEs affecting packages
used to build upstream
>> based rocks
>> >> have been
>> >> >> created in the Ubuntu CVE
tracker:
>> >> >>
>> >> >> *
https://github.com/gogo/protobuf
>> <https://github.com/gogo/protobuf>
>> >> <https://github.com/gogo/protobuf
>> <https://github.com/gogo/protobuf>>:
>> >> >> *
https://github.com/hashicorp/consul
>> <https://github.com/hashicorp/consul>
>> >> >>
<https://github.com/hashicorp/consul
>>
<https://github.com/hashicorp/consul>>:
CVE-2023-0845
>> >> >> *
https://github.com/prometheus/prometheus
>>
<https://github.com/prometheus/prometheus>
>> >> >>
<https://github.com/prometheus/prometheus
>>
<https://github.com/prometheus/prometheus>>:
>> >> >>
>> >> >> Please review your rock to
understand if it is
>> affected by
>> >> these CVEs.
>> >> >>
>> >> >> Thank you for your rock and
for attending to this
>> matter.
>> >> >>
>> >> >> References:
>> >> >>
>> >>
>>
https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
<https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845>
>> >> >>
>> >>
>>
<https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845
<https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-0845>>
>> >> >>
>> >> >>
>> >> >>
>> >> >> --
>> >> >> Mailing list:
>> https://launchpad.net/~ubuntu-docker-images
>>
<https://launchpad.net/~ubuntu-docker-images>
>> >> >>
<https://launchpad.net/~ubuntu-docker-images
>>
<https://launchpad.net/~ubuntu-docker-images>>
>> >> >> Post to :
>> ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
>>
<mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>
>> >> >>
<mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx
>>
<mailto:ubuntu-docker-images@xxxxxxxxxxxxxxxxxxx>>
>> >> >> Unsubscribe :
>> https://launchpad.net/~ubuntu-docker-images
>>
<https://launchpad.net/~ubuntu-docker-images>
>> >> >>
<https://launchpad.net/~ubuntu-docker-images
>>
<https://launchpad.net/~ubuntu-docker-images>>
>> >> >> More help :
https://help.launchpad.net/ListHelp
>> <https://help.launchpad.net/ListHelp>
>> >> >>
<https://help.launchpad.net/ListHelp
>> <https://help.launchpad.net/ListHelp>>
>> >> >>
>> >> >>
>> >> >> --
>> >> >> Cris
>> >>
>> >>
>> >>
>> >> --
>> >> Cris
>>
>>
>>
>> --
>> Cris
> ____
>
>
>
> --
> Cris
